From 3ab1673552234850cf28f2d1e9fb537b8dcde90e Mon Sep 17 00:00:00 2001
From: James Rasell
Date: Thu, 27 Mar 2025 13:58:06 +0100
Subject: [PATCH] sec: Suppress GO-2025-3543 for github.com/opencontainers/runc (#25536)

The vulnerability has been withdrawn but it may be a while until it is removed from the DB used by scanning. Suppressing this removes the false result in scanning processes. The change should be reverted once the DB is updated.
---
 .github/scan.hcl | 3 +++
 .release/security-scan.hcl | 1 +
 2 files changed, 4 insertions(+)

diff --git a/.github/scan.hcl b/.github/scan.hcl
index 436c9d205..167ba9334 100644
--- a/.github/scan.hcl
+++ b/.github/scan.hcl
@@ -44,6 +44,9 @@ repository {
 # periodically cleaned up to remove items that are no longer found by the scanner.
 triage {
 suppress {
+ vulnerabilities = [
+ "GO-2025-3543", // github.com/opencontainers/runc TODO(jrasell): remove once withdrawn from DBs.
+ ]
 paths = [
 "ui/tests/*",
 "internal/testing/*",
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
index 2793ded7e..ccfeb3a27 100644
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@@ -30,6 +30,7 @@ binary {
 suppress {
 vulnerabilities = [
 "GO-2022-0635", // github.com/aws/aws-sdk-go@v1.55.6 TODO(jrasell): remove when dep updated.
+ "GO-2025-3543", // github.com/opencontainers/runc TODO(jrasell): remove once withdrawn from DBs.
 ]
 }
 }
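Review bot: The new `"GO-2025-3543"` entry in `.github/scan.hcl`, and the identical one added to `.release/security-scan.hcl`, records neither a pointer to the advisory's withdrawal nor the runc version it was triaged against, so a later reader cannot verify why the finding is silenced or tell when the entry is safe to drop. The suppression is keyed on the ID alone, so it would presumably also hide the finding if the advisory were republished or amended rather than removed from the scanner's DB. I would extend the comment to something like `// github.com/opencontainers/runc@<version in go.mod>: advisory withdrawn, see <link to withdrawal notice>; TODO(jrasell): remove once withdrawn from DBs.` in both files. In `.github/scan.hcl` the only comment visible in the hunk uses `#`, so `#` would match that file's style; the `triage` and `binary` blocks both continue outside the hunks.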